SlideShare une entreprise Scribd logo

Risks in the Software Supply Chain

Sonatype
Sonatype

This presentation highlights the use and role of open source and 3rd party components in a software supply chain.

Technologie
1  sur  25
Télécharger pour lire hors ligne
© 2015 Carnegie Mellon University Risks in the Software Supply Chain Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Mark Sherman, Ph.D. Technical Director, CERT Jan 15, 2015
2 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon®, CERT® and CMMI® are registered marks of Carnegie Mellon University. DM-0002130
3 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Conventional view of supply chain risk Sources: http://www.nytix.com/NewYorkCity/articles/handbags.html; http://www.laserwisetech.co.nz/secret.php; http://www.muscatdaily.com/Archive/Oman/Fake-car-parts-contribute-to-rise-in-road-accidents-Experts; http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1.shtml; http://unites-systems.com/l.php?id=191
4 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – IT IT moving from specialized hardware to software, virtualized as • Servers: virtual CPUs • Storage: SANs • Switches: Soft switches • Networks: Software defined networks
5 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University • Cellular • Main processor • Base band processor • Secure element (SIM) • Automotive • Up to 100 networked CPUs in luxury cars • Vehicle to infrastructure (V2I) • Vehicle to vehicle (V2V) • Industrial and home automation • 3D printing (additive manufacturing) • Autonomous robots • Interconnected SCADA • Aviation • 80% of airplane function in software • Next Gen air traffic control • Smart grid • Smart electric meters • Smart metering infrastructure • Embedded medical devices Software is the new hardware – cyber physical
6 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – everything 90 percent of [Samsung’s] products -- which includes everything from smartphones to refrigerator-- would be able to connect to the Web by 2017. In five years, every product in the company's entire catalog would be Internet connected. B.K. Yoon, Samsung co-CEO CNET Jan 5, 2015 Source: http://www.cnet.com/news/samsung-co-ceo-in-5-years-all-our-products-will-be-internet-connected/ http://www.wsj.com/articles/SB10001424053111903480904576512250915629460 Software is eating the world. Marc Andreessen, WSJ, Aug 20,2011
7 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evolution of software development Custom development – context: • Software was limited  Size  Function  Audience • Each organization employed developers • Each organization created their own software Shared development – ISVs (COTS) – context: • Function largely understood  Automating existing processes • Grown beyond ability for using organization to development economically • Outside of core competitiveness by acquirers Supply chain: practically none Supply chain: software supplier
8 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Development is now assembly General Ledger SQL Server WebSphere HTTP server XML Parser Oracle DB SIP servlet container GIF library Note: hypothetical application composition Collective development – context: • Too large for single organization • Too much specialization • Too little value in individual components Supply chain: long
9 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software supply chain for assembled software Expanding the scope and complexity of acquisition and deployment Visibility and direct program office controls are limited (only in shaded area) Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04- 678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
10 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Corruption along the supply chain is easy Knowledgeable analysts can convert packaged binary into malware in minutes Sources: Pedro Candel, Deloitte CyberSOC Academy , Deloitte http://www.8enise.webcastlive.es/webcast.htm?video=08; http://www.microsoft.com/Products/Games/FSInsider/freeflight/PublishingImages/scene.jpg; https://www.withfriendship.com/user/mithunss/easter-eggs-in-microsoft-products.php Unexpected or unintended behaviors in components
11 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Substantial open source contained in supply chain • At least 75% of organizations rely on open source as the foundation of their applications • Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application. Distributed development – context: • Amortize expense • Outsource non-differential features • Lower acquisition (CapEx) expense Source: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey Supply chain: opaque
12 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source supply chain has a long path App server HTTP server XML Parser C Libraries C compiler Generated Parser Parser Generator 2nd Compiler
13 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Versions of Android illustrate open source fragmentation Source: http://opensignal.com/reports/fragmentation.php .
14 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source is not secure Heartbleed and Shellshock were found by exploitation Other open source software illustrates vulnerabilities from cursory inspection Sources: Steve Christey (MITRE) & Brian Martin (OSF), Buying Into the Bias: Why Vulnerability Statistics Suck, https://media.blackhat.com/us-13/US-13-Martin-Buying-Into-The-Bias-Why-Vulnerability-Statistics- Suck-Slides.pdf; Sonatype, Sonatype Open Source Development and Application Security Survey 46 million vulnerable open source components downloaded annually
15 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Reducing software supply chain risk factors Software supply chain risk for a product needs to be reduced to acceptable level Supplier follows practices that reduce supply chain risks Delivered or updated product is acceptably secure Product Distribution Operational Product Control Product is used in a secure manner Methods of transmitting the product to the purchaser guard again tampering Product Security Supplier Capability
16 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Supplier security commitment evidence Supplier employees are educated as to security engineering practices • Documentation for each engineer of training and when trained/retrained • Revision dates for training materials • Lists of acceptable credentials for instructors • Names of instructors and their credentials Supplier follows suitable security design practices • Documented design guidelines • Provides evidence that design and coding weaknesses that affect security have been addressed (Common Weakness Enumeration (CWE)) • Has analyzed attack patterns appropriate to the design such as those that are included in Common Attack Pattern Enumeration and Classification (CAPEC)
17 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evaluate a product’s threat resistance What product characteristics minimize opportunities to enter and change the product’s security characteristics? • Attack surface evaluation: Exploitable features have been identified and eliminated where possible – Access controls – Input/output channels – Attack enabling applications – email, Web – Targets • Design and coding weaknesses associated with exploitable features have been identified and mitigated (CWE) • Independent validation and verification of threat resistance
18 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Establishing good product distribution practices Recognize that supply chain risks are accumulated • Subcontractor/COTS-product supply chain risk is inherited by those that use that software, tool, system, etc. Apply to the acquiring organizations and their suppliers • Require good security practices by their suppliers • Assess the security of delivered products • Address the additional risks associated with using the product in their context
19 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Maintain attack resistance Who assumes responsibility for preserving product attack resistance with product deployment? • Patching and version upgrades • Expanded distribution of usage • Expanded integration Usage changes the attack surface and potential attacks for the product • Change in feature usage or risks • Are supplier risk mitigations adequate for desired usage? • Effects of vendor upgrades/patches and local configuration changes • Effects of integration into operations (system of systems)
20 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University What about open source? Establish a supplier for open source • Self • 3rd party focusing on open source Subject to same evaluation • Supplier capability • Product security • Product distribution • Operational product control Source: http://opensource.org/
21 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Business decisions are about risk There are many risks to a business process or mission thread • Within a system • Collection of systems Supply chain is one of many risk components Evaluate software supply chain risk in the larger context of • Supply chain risk • System risk • System of systems risk
22 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Security Engineering Risk Analysis (SERA ) 1. Establish operational context. 2. Identify risk. 3. Analyze risk. 4. Develop control plan. Mission Thread / Business Process Worksheet Risk Identification Worksheet Risk Evaluation Criteria Risk Analysis Worksheet Control Approach Worksheet Control Plan Worksheet
23 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Where to start Anywhere • 76% do not have meaningful controls over what components are in their applications • 81% do not coordinate their security practices in various stages of the development life cycle • 47% do not perform acceptance tests for third-party code Plenty of models to choose from BSIMM: Building Security in Maturity Model CMMI: Capability Maturity Model Integration for Acquisitions PRM: SwA Forum Processes and Practices Group Process Reference Model RMM: CERT Resilience Management Model SAMM: OWASP Open Software Assurance Maturity Model Sources: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey; Forrester Consulting, “State of Application Security,” January 2011
24 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Further reading Alberts, Christopher, et al., “Introduction to the Security Engineering Risk Analysis (SERA) Fraemwork,” Software Engineering Institute, Nov 2014, http://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_427329.pdf Axelrod, C. Warren, “Mitigating Software Supply Chain Risk,” ISCA Journal Online, Vol 4., 2013, http://www.isaca.org/Journal/Past- Issues/2013/Volume-4/Pages/JOnline-Mitigating-Software-Supply-Chain-Risk.aspx Axelrod, C. Warren, “Malware, Weakware and the Security of Software Supply Chains,” Cross-Talk, March/April 2014, p. 20, http://www.crosstalkonline.org/storage/issue-archives/2014/201403/201403-Axelrod.pdf Ellison, Robert, et al, “Software Supply Chain Risk Management: From Products to Systems of Systems,” Software Engineering Institute, Dec 2010, https://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15194.pdf Ellison, Robert, et al. “Evaluating and Mitigating Software Supply Chain Security Risks,” Software Engineering Institute, May 2010, http://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15176.pdf Ellison, Robert and Woody, Carol, “Supply-Chain Risk Management: Incorporating Security into Software Development,” Proceedings of the 43rd Hawaii International Conference on System Sciences, 2010, http://resources.sei.cmu.edu/asset_files/WhitePaper/2013_019_001_297341.pdf Jarzombek, Joe, “Collaboratively Advancing Strategies to Mitigate Software Supply Chain Risks,” July 30, 2009, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2009-07/ispab_july09-jarzombek_swa-supply-chain.pdf Software Assurance Forum, Processes and Practices Working Group, “Software Assurance Checklist for Software Supply Chain Risk Management,” https://buildsecurityin.us-cert.gov/sites/default/files/20101208-SwAChecklist.pdf “Software Supply Chain Risk Management & Due-Diligence,” Software Assurance Pocket Guide Series: Acquisition & Outsourcing, Vol II, Version 1.2, June 16, 2009, https://buildsecurityin.us-cert.gov/sites/default/files/DueDiligenceMWV12_01AM090909.pdf
25 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Contact Information Slide Format Mark Sherman Technical Director Cyber Security Foundations Telephone: +1 412-268-9223 Email: mssherman@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu www.sei.cmu.edu/contact.cfm Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257

Recommandé

DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attack
Yadnyawalkya Tale
 
Guiding Principles for the Low Code Revolution – Intuit QuickBase EMPOWER2015...
Guiding Principles for the Low Code Revolution – Intuit QuickBase EMPOWER2015...Guiding Principles for the Low Code Revolution – Intuit QuickBase EMPOWER2015...
Guiding Principles for the Low Code Revolution – Intuit QuickBase EMPOWER2015...
QuickBase, Inc.
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security Platform
Pituphong Yavirach
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 

Recommandé

DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attack
Yadnyawalkya Tale
 
Guiding Principles for the Low Code Revolution – Intuit QuickBase EMPOWER2015...
Guiding Principles for the Low Code Revolution – Intuit QuickBase EMPOWER2015...Guiding Principles for the Low Code Revolution – Intuit QuickBase EMPOWER2015...
Guiding Principles for the Low Code Revolution – Intuit QuickBase EMPOWER2015...
QuickBase, Inc.
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security Platform
Pituphong Yavirach
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
Sameer Paradia
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
How to SRE when you have no SRE
How to SRE when you have no SREHow to SRE when you have no SRE
How to SRE when you have no SRE
Squadcast Inc
 
Security operation center
Security operation centerSecurity operation center
Security operation center
MuthuKumaran267
 
Rapid Strategic SRE Assessments
Rapid Strategic SRE AssessmentsRapid Strategic SRE Assessments
Rapid Strategic SRE Assessments
Marc Hornbeek
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Tomas Honzak
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Joel Divekar
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle
 
Cloud Native Application
Cloud Native ApplicationCloud Native Application
Cloud Native Application
VMUG IT
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Raffael Marty
 
SRE-iously! Reliability!
SRE-iously! Reliability!SRE-iously! Reliability!
SRE-iously! Reliability!
New Relic
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
What is network detection and response?
What is network detection and response?What is network detection and response?
What is network detection and response?
Vehere
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
BATbern
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
PencilData
 
Cybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainCybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply Chain
Anthony Braddy
 
Balancing speed & agility with security & governance (July 2016)
Balancing speed & agility with security & governance (July 2016)Balancing speed & agility with security & governance (July 2016)
Balancing speed & agility with security & governance (July 2016)
Rajiv Renganathan
 

Contenu connexe

Tendances

Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Raffael Marty
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 

Tendances (20)

2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
How to SRE when you have no SRE
How to SRE when you have no SREHow to SRE when you have no SRE
How to SRE when you have no SRE
 
Security operation center
Security operation centerSecurity operation center
Security operation center
 
Rapid Strategic SRE Assessments
Rapid Strategic SRE AssessmentsRapid Strategic SRE Assessments
Rapid Strategic SRE Assessments
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model Presentation
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
Cloud Native Application
Cloud Native ApplicationCloud Native Application
Cloud Native Application
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
SRE-iously! Reliability!
SRE-iously! Reliability!SRE-iously! Reliability!
SRE-iously! Reliability!
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
What is network detection and response?
What is network detection and response?What is network detection and response?
What is network detection and response?
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
 

En vedette

En vedette (8)

Cybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainCybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply Chain
 
Balancing speed & agility with security & governance (July 2016)
Balancing speed & agility with security & governance (July 2016)Balancing speed & agility with security & governance (July 2016)
Balancing speed & agility with security & governance (July 2016)
 
Diagnosing Problems in Production - Cassandra
Diagnosing Problems in Production - CassandraDiagnosing Problems in Production - Cassandra
Diagnosing Problems in Production - Cassandra
 
World Copper Production
World Copper ProductionWorld Copper Production
World Copper Production
 
La blockchain et son impact sur le secteur public
La blockchain et son impact sur le secteur publicLa blockchain et son impact sur le secteur public
La blockchain et son impact sur le secteur public
 
Easy Virtual Reality
Easy Virtual RealityEasy Virtual Reality
Easy Virtual Reality
 
Mapping Experiences - O'Reilly Design Conference 2017
Mapping Experiences - O'Reilly Design Conference 2017Mapping Experiences - O'Reilly Design Conference 2017
Mapping Experiences - O'Reilly Design Conference 2017
 
Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...
Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...
Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...
 

Similaire à Risks in the Software Supply Chain

"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
IBM Security
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - Print
Andrew Kanikuru
 

Similaire à Risks in the Software Supply Chain (20)

Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software Security
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
 
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
 
Case Closed with IBM Application Security on Cloud infographic
Case Closed with IBM Application Security on Cloud infographicCase Closed with IBM Application Security on Cloud infographic
Case Closed with IBM Application Security on Cloud infographic
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdf
 
New threats to cyber-security
New threats to cyber-securityNew threats to cyber-security
New threats to cyber-security
 
Automotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still ExistsAutomotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still Exists
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application Security
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyser
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
 
Revolution in Mobility
Revolution in MobilityRevolution in Mobility
Revolution in Mobility
 
Research Paper
Research PaperResearch Paper
Research Paper
 
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product Overview
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - Print
 

Plus de Sonatype

Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
Sonatype
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
Sonatype
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
Sonatype
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
Sonatype
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
Sonatype
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
Sonatype
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
Sonatype
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
Sonatype
 
Continuous Everyone: Engaging People Across the Continuous Pipeline
Continuous Everyone: Engaging People Across the Continuous PipelineContinuous Everyone: Engaging People Across the Continuous Pipeline
Continuous Everyone: Engaging People Across the Continuous Pipeline
Sonatype
 

Plus de Sonatype (20)

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way Forward
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure Automation
 
Continuous Everyone: Engaging People Across the Continuous Pipeline
Continuous Everyone: Engaging People Across the Continuous PipelineContinuous Everyone: Engaging People Across the Continuous Pipeline
Continuous Everyone: Engaging People Across the Continuous Pipeline
 
The Road to Continuous Deployment
The Road to Continuous Deployment The Road to Continuous Deployment
The Road to Continuous Deployment
 

Dernier

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Dernier (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

Risks in the Software Supply Chain

  • 1. © 2015 Carnegie Mellon University Risks in the Software Supply Chain Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Mark Sherman, Ph.D. Technical Director, CERT Jan 15, 2015
  • 2. 2 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon®, CERT® and CMMI® are registered marks of Carnegie Mellon University. DM-0002130
  • 3. 3 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Conventional view of supply chain risk Sources: http://www.nytix.com/NewYorkCity/articles/handbags.html; http://www.laserwisetech.co.nz/secret.php; http://www.muscatdaily.com/Archive/Oman/Fake-car-parts-contribute-to-rise-in-road-accidents-Experts; http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1.shtml; http://unites-systems.com/l.php?id=191
  • 4. 4 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – IT IT moving from specialized hardware to software, virtualized as • Servers: virtual CPUs • Storage: SANs • Switches: Soft switches • Networks: Software defined networks
  • 5. 5 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University • Cellular • Main processor • Base band processor • Secure element (SIM) • Automotive • Up to 100 networked CPUs in luxury cars • Vehicle to infrastructure (V2I) • Vehicle to vehicle (V2V) • Industrial and home automation • 3D printing (additive manufacturing) • Autonomous robots • Interconnected SCADA • Aviation • 80% of airplane function in software • Next Gen air traffic control • Smart grid • Smart electric meters • Smart metering infrastructure • Embedded medical devices Software is the new hardware – cyber physical
  • 6. 6 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – everything 90 percent of [Samsung’s] products -- which includes everything from smartphones to refrigerator-- would be able to connect to the Web by 2017. In five years, every product in the company's entire catalog would be Internet connected. B.K. Yoon, Samsung co-CEO CNET Jan 5, 2015 Source: http://www.cnet.com/news/samsung-co-ceo-in-5-years-all-our-products-will-be-internet-connected/ http://www.wsj.com/articles/SB10001424053111903480904576512250915629460 Software is eating the world. Marc Andreessen, WSJ, Aug 20,2011
  • 7. 7 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evolution of software development Custom development – context: • Software was limited  Size  Function  Audience • Each organization employed developers • Each organization created their own software Shared development – ISVs (COTS) – context: • Function largely understood  Automating existing processes • Grown beyond ability for using organization to development economically • Outside of core competitiveness by acquirers Supply chain: practically none Supply chain: software supplier
  • 8. 8 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Development is now assembly General Ledger SQL Server WebSphere HTTP server XML Parser Oracle DB SIP servlet container GIF library Note: hypothetical application composition Collective development – context: • Too large for single organization • Too much specialization • Too little value in individual components Supply chain: long
  • 9. 9 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software supply chain for assembled software Expanding the scope and complexity of acquisition and deployment Visibility and direct program office controls are limited (only in shaded area) Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04- 678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
  • 10. 10 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Corruption along the supply chain is easy Knowledgeable analysts can convert packaged binary into malware in minutes Sources: Pedro Candel, Deloitte CyberSOC Academy , Deloitte http://www.8enise.webcastlive.es/webcast.htm?video=08; http://www.microsoft.com/Products/Games/FSInsider/freeflight/PublishingImages/scene.jpg; https://www.withfriendship.com/user/mithunss/easter-eggs-in-microsoft-products.php Unexpected or unintended behaviors in components
  • 11. 11 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Substantial open source contained in supply chain • At least 75% of organizations rely on open source as the foundation of their applications • Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application. Distributed development – context: • Amortize expense • Outsource non-differential features • Lower acquisition (CapEx) expense Source: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey Supply chain: opaque
  • 12. 12 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source supply chain has a long path App server HTTP server XML Parser C Libraries C compiler Generated Parser Parser Generator 2nd Compiler
  • 13. 13 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Versions of Android illustrate open source fragmentation Source: http://opensignal.com/reports/fragmentation.php .
  • 14. 14 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source is not secure Heartbleed and Shellshock were found by exploitation Other open source software illustrates vulnerabilities from cursory inspection Sources: Steve Christey (MITRE) & Brian Martin (OSF), Buying Into the Bias: Why Vulnerability Statistics Suck, https://media.blackhat.com/us-13/US-13-Martin-Buying-Into-The-Bias-Why-Vulnerability-Statistics- Suck-Slides.pdf; Sonatype, Sonatype Open Source Development and Application Security Survey 46 million vulnerable open source components downloaded annually
  • 15. 15 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Reducing software supply chain risk factors Software supply chain risk for a product needs to be reduced to acceptable level Supplier follows practices that reduce supply chain risks Delivered or updated product is acceptably secure Product Distribution Operational Product Control Product is used in a secure manner Methods of transmitting the product to the purchaser guard again tampering Product Security Supplier Capability
  • 16. 16 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Supplier security commitment evidence Supplier employees are educated as to security engineering practices • Documentation for each engineer of training and when trained/retrained • Revision dates for training materials • Lists of acceptable credentials for instructors • Names of instructors and their credentials Supplier follows suitable security design practices • Documented design guidelines • Provides evidence that design and coding weaknesses that affect security have been addressed (Common Weakness Enumeration (CWE)) • Has analyzed attack patterns appropriate to the design such as those that are included in Common Attack Pattern Enumeration and Classification (CAPEC)
  • 17. 17 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evaluate a product’s threat resistance What product characteristics minimize opportunities to enter and change the product’s security characteristics? • Attack surface evaluation: Exploitable features have been identified and eliminated where possible – Access controls – Input/output channels – Attack enabling applications – email, Web – Targets • Design and coding weaknesses associated with exploitable features have been identified and mitigated (CWE) • Independent validation and verification of threat resistance
  • 18. 18 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Establishing good product distribution practices Recognize that supply chain risks are accumulated • Subcontractor/COTS-product supply chain risk is inherited by those that use that software, tool, system, etc. Apply to the acquiring organizations and their suppliers • Require good security practices by their suppliers • Assess the security of delivered products • Address the additional risks associated with using the product in their context
  • 19. 19 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Maintain attack resistance Who assumes responsibility for preserving product attack resistance with product deployment? • Patching and version upgrades • Expanded distribution of usage • Expanded integration Usage changes the attack surface and potential attacks for the product • Change in feature usage or risks • Are supplier risk mitigations adequate for desired usage? • Effects of vendor upgrades/patches and local configuration changes • Effects of integration into operations (system of systems)
  • 20. 20 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University What about open source? Establish a supplier for open source • Self • 3rd party focusing on open source Subject to same evaluation • Supplier capability • Product security • Product distribution • Operational product control Source: http://opensource.org/
  • 21. 21 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Business decisions are about risk There are many risks to a business process or mission thread • Within a system • Collection of systems Supply chain is one of many risk components Evaluate software supply chain risk in the larger context of • Supply chain risk • System risk • System of systems risk
  • 22. 22 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Security Engineering Risk Analysis (SERA ) 1. Establish operational context. 2. Identify risk. 3. Analyze risk. 4. Develop control plan. Mission Thread / Business Process Worksheet Risk Identification Worksheet Risk Evaluation Criteria Risk Analysis Worksheet Control Approach Worksheet Control Plan Worksheet
  • 23. 23 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Where to start Anywhere • 76% do not have meaningful controls over what components are in their applications • 81% do not coordinate their security practices in various stages of the development life cycle • 47% do not perform acceptance tests for third-party code Plenty of models to choose from BSIMM: Building Security in Maturity Model CMMI: Capability Maturity Model Integration for Acquisitions PRM: SwA Forum Processes and Practices Group Process Reference Model RMM: CERT Resilience Management Model SAMM: OWASP Open Software Assurance Maturity Model Sources: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey; Forrester Consulting, “State of Application Security,” January 2011
  • 24. 24 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Further reading Alberts, Christopher, et al., “Introduction to the Security Engineering Risk Analysis (SERA) Fraemwork,” Software Engineering Institute, Nov 2014, http://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_427329.pdf Axelrod, C. Warren, “Mitigating Software Supply Chain Risk,” ISCA Journal Online, Vol 4., 2013, http://www.isaca.org/Journal/Past- Issues/2013/Volume-4/Pages/JOnline-Mitigating-Software-Supply-Chain-Risk.aspx Axelrod, C. Warren, “Malware, Weakware and the Security of Software Supply Chains,” Cross-Talk, March/April 2014, p. 20, http://www.crosstalkonline.org/storage/issue-archives/2014/201403/201403-Axelrod.pdf Ellison, Robert, et al, “Software Supply Chain Risk Management: From Products to Systems of Systems,” Software Engineering Institute, Dec 2010, https://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15194.pdf Ellison, Robert, et al. “Evaluating and Mitigating Software Supply Chain Security Risks,” Software Engineering Institute, May 2010, http://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15176.pdf Ellison, Robert and Woody, Carol, “Supply-Chain Risk Management: Incorporating Security into Software Development,” Proceedings of the 43rd Hawaii International Conference on System Sciences, 2010, http://resources.sei.cmu.edu/asset_files/WhitePaper/2013_019_001_297341.pdf Jarzombek, Joe, “Collaboratively Advancing Strategies to Mitigate Software Supply Chain Risks,” July 30, 2009, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2009-07/ispab_july09-jarzombek_swa-supply-chain.pdf Software Assurance Forum, Processes and Practices Working Group, “Software Assurance Checklist for Software Supply Chain Risk Management,” https://buildsecurityin.us-cert.gov/sites/default/files/20101208-SwAChecklist.pdf “Software Supply Chain Risk Management & Due-Diligence,” Software Assurance Pocket Guide Series: Acquisition & Outsourcing, Vol II, Version 1.2, June 16, 2009, https://buildsecurityin.us-cert.gov/sites/default/files/DueDiligenceMWV12_01AM090909.pdf
  • 25. 25 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Contact Information Slide Format Mark Sherman Technical Director Cyber Security Foundations Telephone: +1 412-268-9223 Email: mssherman@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu www.sei.cmu.edu/contact.cfm Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257